When designing their information systems, organisations are commonly assumed
to be confronted with a stark choice between identification of their clients on
the one hand and anonymity on the other. Identification assures accountability
but threatens privacy; whereas anonymity protects privacy but undermines
accountability.

This article identifies and explains the spectrum of intermediate alternatives,
which involve pseudonymity and varying degrees of authentication. The
selection of appropriate alternatives, in most circumstances intermediate
between the extremes of identification and anonymity, is argued to be critical
to the establishment of trust in electronic commerce, and to the maintenance of
social and democratic freedoms.

1.
Introduction

This paper addresses several related questions. Under what circumstances is
it appropriate for a party to a transaction to know the identity of the other
party? What degree of confidence does a party need as to whether that identity
is correct? What is the scope for transactions and relationships to be
anonymous or pseudonymous, rather than identified?

Discussions about this topic frequently embody the presumption that a stark
choice exists between accountable identification and irresponsible anonymity.
In fact, a rich spectrum of alternatives exists. This paper's purpose is to
present that range of alternatives, and to argue for much better informed and
more careful selection among them.

This article commences by arguing that this issue is vital to the survival of
civic freedoms. It introduces and defines the relevant concepts, and describes
common techniques. It then identifies the spectrum of approaches that is
available to organisations when they design their information systems, and
suggests how organisations can determine which of the spectrum of possibilities
is appropriate in their particular circumstances. The concepts are then
applied to the specific context of the Internet.

2.
The Policy Significance

The power of modern information technology, combined with the intensity of
personal data held by organisations, represents a dire threat to personal
freedoms.
Clarke
(1988) argued that the sole remaining barrier against control by the State
was difficulties with the consistent identification of people. During the
decade since then, many attempts have been made to establish national
identification schemes, to extend existing multiple-purpose schemes, and to
correlate among multiple identifications schemes. As the public has
increasingly appreciated the dangers, these attempts have met considerable
resistance
(PI
1997).

The intensity of data collections about people has been increasing significantly
(Clarke
1996a). There has also been an increasing tendency for organisations to
try to convert anonymous transactions (such as visits to counters, telephone
enquiries and low-value payments) into identified transactions. The reasons
for this include:

the increased scale of social institutions;

the increased distance of those institutions from people;

the reduced trust that each side exhibits in its dealings with the other;

the increased capability of information technology to support data
collection, storage, processing, discovery, use and disclosure; and

the resultant increased dependence by organisations on data-intensive
relationships with, and control over, their clientele.

The privacy interest runs emphatically counter to these attempts to increase
data collections, to convert identified into anonymous transactions, to
correlate identifiers, to impose general-purpose identifiers, and generally to
apply industrial control techniques to the control of people.

Since 1970, legislatures have responded to the threats to privacy by creating
data protection regimes. These are, however, based on a model developed in the
1960s and 1970s, which is commonly referred to as 'Fair Information Practices'.
This approach has maximised convenience to government and business, and has
signally failed to provide protection against rampant information-intensive
procedures, data-collection and data-sharing
(Clarke
1999b). Of the many aspects of privacy protection that are at present
inadequately addressed, I argued in
Clarke
(1999c) that the most critical policy imperatives for the coming century
are the following:

C2K
Policy Imperative No. 1

maximise the use of anonymous transactions, and
resist and reverse conversion of anonymous to identified
transactions

maximise the use of pseudonymous transactions, where
anonymity is not an effective option

preclude identified transactions except where it is
functionally necessary, or where meaningful, informed consent exists

C2K
Policy Imperative No. 2

enable multiple identities for multiple roles

enable the authentication of pseudonyms

provide legal, organisational and technical protections
against access to the link between a pseudonym and the person behind it

resist and reverse multiple usage of identifiers

resist and reverse the correlation of identifiers

The first of these imperatives denies the increasingly common assumption by
the State and corporations that individuals are to be subjected to the same
efficiency-engendering technologies as are appropriate to manufactured objects.
The second denies the State and corporations alike the ability to consolidate
personal data through the use of common identifiers. It further stresses the
central importance of pseudonymity as a primary means of achieving the
necessary balance between the needs for privacy and for accountability.

3.
Concepts and Terminology

This section identifies and defines each of the concepts used in the
analysis, and relates this author's definitions to those used by other writers.

Identification is a process whereby a real-world entity is
recognised, and its 'identity' established. Real-world entities include
industrial equipment (like lifts and elevators, trucks and cranes); consumer
durables (like ovens and refrigerators); packages, parcels and pallets;
livestock and pets; organisations; and people. The focus in this article is
on organisations and people.

Dictionary definitions of the concept of identity are awkward
(e.g. "the condition of being a specified person" - Oxford, and "the condition
of being oneself ... and not another" - Macquarie). The notion is
operationalised in the abstract world of information systems as a set of
information about an entity that differentiates it from other, similar
entities. The set of information may be as small as a single code,
specifically designed as an identifier, or may be a compound
of such data as given and family name, date-of-birth and postcode of residence.
An organisation's identification process comprises the acquisition of the
relevant identifying information.

Contrary to the presumptions made in many information systems, an
entity does not necessarily have a single identity, but may have multiple
identities. For example, a company may have many business units,
divisions, branches, trading-names, trademarks and brandnames. And many people
are known by different names in different contexts. In some cases, the
intention is dishonourable or criminal; but in most cases the adoption of
multiple personae is neither, but rather reflects the multiple roles people
play in such contexts as their family, their workplace(s), their profession,
community service and art
(Clarke
1994a). The laws of countries such as Britain and Australia in no way
preclude such multiple identities (or aliases, or aka's - for 'also known as').
An act of fraud that depends on the use of multiple or situation-specific
identities is, on the other hand, a criminal offence.

Authentication is a general term referring to the process
whereby a degree of confidence is established about the truth of an
assertion.

A common application of the idea is to the authentication of
identity (Clarke
1995,
1996e).
This is the process whereby an organisation establishes that a party it is
dealing with is:

a previously known real-world entity (in which case it can associate
transactions with an existing record in the relevant information system); or

a previously unknown real-world entity (in which case it may be
appropriate to create a new record in the relevant information system, and
perhaps also to create an organisational identifier for that party).

The nature of identity, identifiers, and identification processes is such
that authentication is never perfect, but rather is more or less reliable. It
is useful to distinguish degrees of assurance about identity.
High-reliability authentication processes are generally costly to all parties
concerned, in terms of monetary value, time, convenience and intrusiveness.
Organisations generally select a trade-off between the various costs,
reliability, and acceptability to the affected individuals.

Although the term 'authentication' is often used as though it related only to
identity, it is a much more general concept. There are many circumstances in
which organisations undertake authentication of value, e.g. by
checking a banknote for forgery-resistant features like metal wires or
holograms, and seeking pre-authorisation of credit-card payments.

Another approach is the authentication of attributes, credentials or
eligibility. In this case, it is not the person's identity that is in
focus, but rather the capacity of that person to perform some function, such as
being granted a discount applicable only to tradesmen or club-members, or a
concessional fee only available to senior citizens or school-children, or entry
to premises that are restricted to adults only.

A further, emergent challenge is the delegation of powers to artificial
intelligences or software agents. This already occurs in automated
telephone, fax and email response; automated re-ordering; and 'program
trading'. Subject to some qualifications, legislatures and courts may be
becoming willing to accept these acts as being binding on the entity concerned,
at least under some circumstances. (A counter-example is, however, the
requirement embodied in
Article
15 of the European Directive of 1995 that decisions adverse to a person
must be reviewed by a human agent prior to being implemented).

3.3
Anonymity

This section builds on the concepts introduced above, in order to
distinguish between identified, anonymous and pseudonymous transactions. Based
on the above discussion:

An identified record or transaction is one in
which the data can be readily related to a particular individual. This may be
because it carries a direct identifier of the person concerned, or because it
contains data which, in combination with other available data, links the data
to a particular person.

At the other extremity from identification is the negation of identification
in transaction details:

An anonymous record or transaction is one whose
data cannot be associated with a particular individual, either
from the data itself, or by combining the transaction with other data.

A great many transactions that people undertake are anonymous, including:

barter transactions;

visits to enquiry counters in government agencies and shops;

telephone enquiries;

cash transactions such as the myriad daily payments for inexpensive goods
and services, gambling and road-tolls;

Some of the reasons that people use anonymity are of dubious social value,
such as avoiding detection of their whereabouts in order to escape
responsibilities. Other reasons are of arguably significant social value, such
as avoiding physical harm, enabling 'whistle-blowing', avoiding unwanted and
unjustified public exposure, and keeping personal data out of the hands of
intrusive marketers and governments.

Some categories of transactions, however, are difficult to conduct on an
anonymous basis, without one or perhaps both of the parties being known to the
other. Examples of transactions where an argument for identification may be
tenable include:

an undertaking by a person to perform some action in the future, such as
repaying a loan;

the provision of a surety to enable the freeing of a person charged with a
crime;

the collection of a token intended to serve as evidence of identity (such
as a passport); and

the collection of a privacy-sensitive document (such as medical
information).

Even in some of these circumstances, however, designs, prototypes and even
operational schemes exist, that enable protection of the parties' interests
without disclosure of the person's identity. See, for example, the anonymous
credit-card scheme of
Low
et al. (1996).

3.4
Pseudonymity

A pseudonymous record or transaction is one that
cannot, in the normal course of events, be
associated with a particular individual.

Hence a transaction is pseudonymous in relation to a particular party if the
transaction data contains no direct identifier for that party, and can only be
related to them in the event that a very specific piece of additional data is
associated with it. The data may, however, be indirectly associated with the
person, if particular procedures are followed, e.g. the issuing of a search
warrant authorising access to an otherwise closed index.

To be effective, pseudonymous mechanisms must involve legal,
organisational and technical protections, such that the link can only
be made (e.g. the index can only be accessed) under appropriate
circumstances.

Pseudonymity is used in some situations to enable conflicting interests to be
satisfied; for example in collections of highly sensitive personal data such
as that used in research into HIV/AIDS transmission. It is capable of being
applied in a great many more situations than it is at present.

Generalising from this example, pseudonymity is used to enable
theprotection of individuals who are at risk of undue
embarrassment or physical harm. Categories of such people include
'celebrities' and 'VIPs' (who are subject to widespread but excessive interest
among sections of the media and the general public, including 'stalkers'),
'battered wives', protected witnesses, and people in security-sensitive
occupations.

Another application of pseudonymity is to reflect the various roles
that people play. For example, on any one day, a person may act as
their private selves, as an employee of an organisation, as an officer of a
professional association, and as an officer of a community organisation. In
addition, a person may have multiple organisational roles (e.g. substantive
position, acting position, various roles on projects and cross-organisational
committees, bank signatory, first-aid officer and fire warden), and multiple
personal roles (e.g. parent, child, spouse, scoutmaster, sporting team-coach,
participant in professional and community committees, writer of
letters-to-the-newspaper-editor, chess-player, and participant in newsgroups,
e-lists, chat-channels).

3.5
The Digital Persona or Nym

In the case of identified transactions, the parties to it are persons. With
anonymous and pseudonymous transactions, the party has an unknown, and even
unknowable, person behind it. A term is needed to refer to such parties.

One possibility is 'pseudo-identifier'. In
Clarke
(1993), the term 'digital persona' was coined for a
purpose very similar to this, and in
Clarke
(1994a) it was defined as "a model of an individual's public personality,
based on data, maintained by transactions, and intended for use as a proxy for
the individual". At about the same time, the term 'e-pers'
(an abbreviation of electronic persona) was suggested. During the last couple
of years, the term 'nym' has been in use to refer to a
pseudo-identity that arises from anonymous and pseudonymous dealings (e.g.
McCullagh
1998-).

The relationship between a nym and the underlying entity may be 1:1, or an
entity may have many nyms (1:n). In addition, allowance must be made for many
entities to use the same nym (n:1).

Technologies exist and are being developed to support multiple digital
personae for a single entity. For example, a very primitive one is
the concept of a 'profile' supported by Version 4 of Netscape Navigator. More
sophisticated technologies are identified at
Clarke
(1999c),
Clarke
(1999d) and
Clarke
(1999e). Under such arrangements, a person sustains separate relationships
with multiple organisations, using separate identifiers, and generating
separate data trails. These can be designed to be very difficult to link; or
they can be designed to provide a mechanism whereby the veil of pseudonymity
can be lifted, subject to appropriate conditions being fulfilled.

In addition, a person may be able to establish multiple relationships
with the same organisation, with a separate digital persona for each
relationship. This may be to reflect the various roles the person
plays when it interacts with that organisation (e.g. contractor, beneficiary,
share-holder, customer, lobbyist, debtor, creditor). Alternatively, it may
merely be to put at rest the minds of people who are highly nervous about the
power of organisations to bring pressure to bear on them.

In the contemporary contexts of highly data-intensive relationships, and
Internet-mediated communications, pseudonymity and multiple nyms are especially
important facets of human identification and information privacy.

3.6
Alternative Definitions

The definitions provided in this section have been used by this author (with
variations) since 1993. Many other authors are non-specific in their usage of
the various terms, sometimes appearing not to appreciate the distinction drawn
by this author between anonymity and pseudonymity. In other cases, the term
'anonymity' is used generically to refer to both what is called here
'anonymity' and what is called here 'pseudonymity' (leaving no term to
describe 'anonymity').

Some other authors are specific about their meanings, but their usage differs
from that adopted by this author.
Froomkin
(1995) uses untraceable anonymity' for what I define as 'anonymity', and
distinguishes 'traceable anonymity' where a person's identity is known but
their profile is not (which I would call 'pseudonymity without an associated
profile'). In addition, Froomkin uses 'traceable pseudonymity' for what I call
'pseudonymity', and coins 'untraceable pseudonymity' for what I would refer to
as 'anonymity using a persistent nym'. Neumann (1996) uses the term
'pseudo-anonymity' for what I call 'pseudonymity'. He applies 'pseudonymity'
to a situation in which multiple nyms may be used by the same person, where
each nym may be (in my terms) either anonymous or pseudonymous.

I suggest that the Froomkin and Neumann terminologies are less straightforward
and useful than those in this paper and its predecessors.

4.
Common Techniques

This section outlines methods that are commonly used in authentication,
anonymity and pseudonymity. A later part of the paper focuses on the Internet
specifically. This section, on the other hand, is generic. It is divided into
segments dealing with each of the circumstances discussed above:

Historically, a person has been identified in a variety of ways, and
authentication has involved some additional procedures. Some examples of
practical approaches are:

in consumer payment transactions, a token (a card) may be
presented, bearing an identifier (a code), together with a representation of
the person's appearance (a photograph) and/or a sample signature (for visual
authentication processes) or an encoded PIN (for automated authentication
processes);

in consumer and citizen telephone and counter services,
an identifier (a customer or client account-code) may be provided, together
with knowledge that only the person concerned is likely to have (e.g. the
person's mother's maiden-name);

in on-line computer services, an identifier that is
readily discoverable (the userid or account-name) is commonly required,
combined with an authenticator that should not be known by anyone other
than the person concerned (the password);

in establishing a new relationship between a customer and a
financial institution, laws in some countries require the presentation
of a set of tokens such as a passport, driver's licence, rates notice and
utilities invoices (the so-called '100-point' scheme); and

where an organisation establishes an identifier for people that it
deals with, it generally performs one kind of authentication on the
first occasion that it deals with each person, but then applies a simpler,
faster and cheaper authentication process on future occasions. This sometimes
involves the issue of, and request for, a token.

It is important to appreciate that a foolproof scheme cannot be devised,
that all schemes depend on tokens that are subject to the 'entry-point
paradox'(Clarke
1994b), and that the term 'proof of identification' is seriously misleading
and should be avoided in favour of the term 'evidence of identity'.

Hand-written signatures are a low quality basis for
authentication, because they are very easily 'spoofed' (i.e. a falsified
signature used in order to create the impression of a valid one) and very
easily 'repudiated' (i.e. the validity of a signature unreasonably denied).
The generic concept of an 'electronic signature' may be
capable of delivering far greater quality than hand-written signatures (though
it also is likely to be imperfect). The strongest such contender at present is
a so-called 'digital signature', based on public key
cryptographic techniques.

For a digital signature to be of high quality (i.e. not readily subject to
spoofing and repudiation), it needs to be generated using a 'private key' that
is held under highly secure conditions by the person concerned, with
trustworthy 'certification authorities' issuing certificates vouching for the
association between the person and their 'public key', and with the onus of
proof, and the assignment of risk in the event of error, made clear through
statute law and/or contract. In order to support this complex arrangement,
Public Key Infrastructure (PKI) is having to be established
(Clarke
1996b).

The private key is long, and it is impractical for it to be memorised in the
way that passwords and PINs are meant to be memorised. There therefore
has to be a means whereby the private key is stored; and it has to be
secure.

The currently most practical device to support storage of a private key is a
chip-card. The private key needs to be protected in some manner, such that
only the owner can use it. One approach is to protect it with a PIN or
password (which would, of course, undermine the presumed security of the long
private key). An emergent approach is for the card itself to refuse access to
the private key, except when the card measures some aspect of the holder's
physical person, and is satisfied that it corresponds sufficiently closely
(using 'fuzzy matching') to the measure pre-stored in the card. Examples of
such 'biometrics' include the patterns formed by rods and
cones on the retina, and the geometry of the thumb.

The imposition of requirements in relation to authentication by digital
signature involves substantial privacy-invasiveness. This was analysed in
Greenleaf
& Clarke (1997). Policy requirements for privacy-sensitive smart-card
applications are expressed in
Clarke
(1997e) and
Clarke
(1998b), and for privacy-sensitive PKI in
Clarke
(1998c).

In conventional business, a range of techniques has been used to check that
an act has purports to have been performed by a particular business entity
actually has been. Letterhead, and call-back
to a number acquired from some other source, are common approaches. The
nominally highest-quality authentication of a corporation's identity and action
has been where the company's seal has been affixed to a
document, and over-signed by authorised officers. This is actually of very low
quality, because both the seal and the signatures are easy to spoof, and
difficult to verify. With the emergence of electronic commerce during the last
quarter-century, the requirements for use of a company seal are in the process
of being rescinded (and the requisite amendments have already been made to the
Australian corporations law).

Electronic signatures in general, and digital signatures in particular, offer
the prospect of far higher levels of confidence. A significant difficulty that
has to be addressed, however, is that, because a business entity cannot itself
act, it is dependent on the actions of one or more humans acting on its behalf.
In addition to the security measures needed in respect of a person's own
digital signature, further measures are needed, in order to reduce the
likelihood of error or fraud by one or more persons, involving misapplication
of the business entity's private key.

A particular challenge that organisations need to cope with is agents acting
on behalf of a principal. Agents may be organisations or individuals. In many
cases there will be a straightforward principal-agent relationship, but in some
circumstances there may be a chain of agency relationships, such as a legal
firm acting for a regional distributor representing the interests of a remote
manufacturer; or an independent assessor acting for an insurer representing a
claimant. The final step in the chain of relationships will generally be a
natural person, and the scope of that person's powers may be in doubt. For
example, a particular employee of a customs agency may be authorised to act on
behalf of many of that company's clients, but not the particular client in
question.

The claims of a business intermediary to be acting on behalf of another
intermediary need to be subjected to testing. Moreover, the claims of a person
to be acting on behalf of a business entity (which may itself be acting as an
intermediary for another business entity) also need to be tested.
Authentication needs to be undertaken of a particular attribute or credential
that reflects the agency relationship, such as a power of attorney, or some
other form of delegation of power to sign contracts.

Analogous arrangements have been envisaged for the electronic context, applying
cryptographic techniques. One approach that can be used is to authenticate the
identity of the individual and/or business entity (as discussed in the
preceding sub-sections), and then check some kind of register of identities
authorised to act on behalf of the relevant business entity. This presumes
that a sufficiently secure infrastructure exists whereby that authorisation
register can be established, maintained, and accessed. However, the approach
has the advantage of building on the (currently emergent) public key
authentication infrastructure. The register might even be implemented in
distributed fashion, by setting an indicator within the person's own signature
chip-card.

Another approach is direct authentication of an authorisation. For example, a
business entity's private key could be used to digitally sign a particular kind
of instrument, which a recipient could confirm (using the business entity's
widely available public key). This would be a more direct mechanism, and would
avoid unnecessary declaration and authentication of the identity of the agent.
It would, on the other hand, involve some risk of appropriation or theft of
what amounts to a bearer instrument.

5.
A Spectrum of Alternatives

It is often presumed that an organisation faces a simple choice between a
transaction in which the parties are identified, or one in which the parties
are anonymous. Recently, an increasing number of authors have begun to
recognise that pseudonymity is feasible.

In fact, there is a substantial spectrum of possibilities that arise from the
combination of identification, anonymity and pseudonymity on the one hand, and
authentication on the other. The spectrum comprises:

identified transactions. In this case, the transaction
data carries an identifier. The following levels of assurance about the
identity are possible:

strongly authenticated. Authentication is undertaken in
such a manner that a high degree of confidence exists that the person or
organisation is who they purported to be;

moderately authenticated. Authentication is undertaken,
but it results in a lower level of confidence, because more risks exist that a
mistake may have been made or a trick successfully played;

weakly authenticated. Limited authentication is
undertaken, which is fairly readily avoided or subverted;

unauthenticated. No authentication of the identifier is
conducted: it is taken at face value;

pseudonymous transactions. In this case, the transaction
data carries a pseudo-identifier or nym, rather than a direct identifier. It
is possible to establish the identity of the party behind the nym, but only if
certain conditions are satisfied. The following levels of assurance of the
linkage between nym and identity are possible:

strongly authenticated. Authentication is undertaken,
and a high degree of confidence exists that the linkage between nym and real
identifier is reliable;

moderately authenticated. Some authentication is
undertaken, resulting in a moderate degree of confidence in the link;

weakly authenticated. Limited authentication is
undertaken, and a low level of confidence exists about the link;

unauthenticated. No authentication is undertaken, and
the link between the nym and the individual or organisation is taken at face
value;

anonymous transactions. In this case, it is not possible
to establish the identity of the party.

A variety of techniques is available to supplement or substitute for
assurance in relation to identification. In particular, the organisation can
protect its interests through authenticating value, or authenticating the
party's attributes or credentials. These can be performed in addition to, or
instead of, authentication of the identity or nym.

In addition, authentication of a persistent nym can be an effective means of
establishing confidence that a series of communications are with the same
person, even though the identity of the person is not reliably known.

Technical means that are designed to support anonymity are referred to as
Privacy-Enhancing Technologies (PETs). See
IPCR
(1995) and Burkert (1997). By design, PETs are privacy-protective, but
deny the most direct form of accountability: the knowledge that the
perpetrator's identity can become known, and hence that retribution is
feasible. Pseudonymity-supporting technical measures are referred to by this
author as Privacy-Sympathetic Technologies (PSTs). They
protect privacy, but also support the direct form of accountability, because
the veil can be lifted. These aspects are discussed in greater depth at
Clarke
(1999c).

6.
Selection Criteria

Organisations have for too long blundered into identified schemes when this
did not reflect the real needs. They need to appreciate the range of
alternatives available to them. In order to make a rational choice among them,
they need to consider a number of factors.

A first matter of importance is the setting within which the particular
transactions take place, and the functional requirements of the
particular information system. Within the context defined by the
requirements and setting, a risk analysis needs to be conducted, to determine
what the harm will be if identities are not gathered, or are inaccurate. It is
important to distinguish between military-style notions of 'absolute assurance'
and the conventional approach adopted in business and government. This ignores
absolute assurance as being unattainable, and in any case extraordinarily
expensive and intrusive. Businesses apply risk-management techniques,
identifying categories of risk that justify incurring costs, and others that
can be satisfactorily addressed by merely monitoring, tolerating and insuring
against them. Authentication needs to provide a degree of confidence
about identity and/or authorisation, commensurate with the risks involved in
them being incorrect or falsified, and balanced against the costs, time,
convenience and intrusiveness involved.

Some key factors that need to be considered in undertaking this kind of risk
analysis are:

whether the system processes sporadic transactions with limited
inter-dependencies among them, or involves an inherently persistent
relationship;

whether a significant incentive exists for individuals to misrepresent
their identity or material information;

whether the degree of potential harm, and of probable harm, to the
organisation is substantial; and

whether there is a significant accountability issue involved, whereby the
other party can be shown to be likely to perform in a much less responsible
manner if they are able to escape the consequences of their actions.

It is all too common for organisations to perform risk analyses only from
the perspective of the organisation itself. In most circumstances, however,
the effectiveness of the system is heavily dependent on the behaviour of
others, and especially of the parties to the transactions. It is therefore
vital that the interests of all stakeholders be factored into
the analysis
(Clarke
1992). Identification and authentication are inherently invasive of
people's privacy, in all its dimensions (Clarke
1988,
1997c,
1997e).
It is especially crucial that the privacy concerns be investigated,
appreciated, and taken into account in designing information systems
(Clarke
1996d).

The argument pursued above should not be misinterpreted as denying that
identification may be appropriate in a few, particular circumstances, such as:

the management of asset risk and accountability, in such areas as loans
(e.g. of cash and of cars), withdrawals and payments from deposit-accounts,
charging to charge-accounts, and double-payment of debts and government
benefits; and

the administration of person-specific actions, such as voting, bail, and
the collection of an ID-Token (e.g. a passport). Note, however, that careful
justification is needed, even in relation to such conventionally mainstream
purposes as the issuance of visas, and air-travel.

7.
Application to the Internet

Given the explosion in Internet usage during the second half of the 1990s,
it is essential that particular attention be paid to the application of
identification, anonymity and pseudonymity in electronic transactions. Email
From: addresses provide only a limited amount of information about the sender,
and are in any case 'spoofable'; IP-addresses provided by web-browsers do not
directly identify the user; and the data stored and transmitted in cookies is
not reliable. Moreover, netizens have shown themselves to be very concerned
about freedoms and privacy (Clarke
1996a,
1996f,
1997a,
1997b,
1998a,
1998d,
1999);
and attempts by an organisation to achieve authentication of an identifier or
pseudonym are subject to an array of countermeasures (e.g.
CACM
1999, Clarke et al.
1998,
Clarke
1998d).

The result is that net transactions are:

effectively anonymous for the vast majority of people
(because the other party does not have the technical capability, the legal
authority, the energy, the time and/or the resources to authenticate the many
identities and nyms it deals with);

effectively 'weakly authenticated pseudonymous' in some
circumstances (because the other party has limited means of tracing
communications, and confirming or denying the identity or nym proffered); and

potentially 'moderately authenticated pseudonymous' in particular
circumstances. These are where a party acquires relevant information
of a sufficient quality, and using appropriate processes, such that it has
evidentiary value. The kinds of information that are needed are described in
Clarke
et al. (1998a), and include IP-addresses used in the relevant messages,
mapping of IP-addresses to physical telephone-sockets or network-ports and
hence to machines, and mapping of individuals to userids. Law enforcement
agencies may have such capabilities, but generally have insufficient resources
to gather the data other than in very important cases. In the case of civil
actions, information may (or may not) be able to be gained through pre-trial
discovery and sub poena
(EPIC
1999).

For some purposes, the low level of identification and authentication
inherent in the Internet creates difficulties. Examples include government
agencies that are seeking a formal undertaking by the other party, e.g. a
declaration by a taxpayer; and businesses that are seeking to establish a
relationship with a customer, perhaps to protect against default by the
customer, and perhaps to enable promotional and selling activities to be
directed at that customer in the future. There are a great many circumstances,
on the other hand, in which the existence of effective anonymity on the
Internet is entirely consistent with the purpose of the interaction, and
entirely workable.

The Internet creates the opportunity for far greater reach for both seller and
buyer (and hence greater 'market depth', greater contestability and
competition, reduced scope for localised monopolies, and hence narrower margins
and decreased stability of supply). With greater reach comes increased
distance between buyer and seller, and hence the loss of conventional
assurances of bona fides.

The growth in consumer electronic commerce has been slow in comparison with
other Internet growth metrics, and many commentators have explained this as
resulting from a lack of trust
(Clarke
1999a). It has been argued by some that the creation of trust is dependent
on transactions being identified; and by others that the imposition of
identification and authentication requirements, far from engendering trust,
will undermine it
(Clarke
1997d).

8.
Conclusions

For the majority of the twentieth century, new technologies have tended to
be privacy-invasive in nature. During the 1990s, Privacy-Enhancing
Technologies (PETs) have emerged. This author has argued for the need also for
Privacy-Sympathetic Technologies (PSTs), as a better means of balancing the
interests of privacy and accountability.

Organisations need to appreciate the spectrum of alternatives that is available
in relation to identification and authentication, to assess their own
requirements and the interests of other stakeholders, to take particular care
concerning the privacy interests of the individuals concerned, and to select an
approach that is appropriate to the circumstances.

Organisations that do so will find that they pay much more attention to
intermediate options such as unauthenticated pseudonymity and authenticated
pseudonymity, in some cases combined with value authentication or attribute
authentication.

References

This document builds on a large body of prior work by the author, and
accordingly involves a large amount of self-reference. Many of the papers
cited provide access to the wider literature, in some cases copiously so.

The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.